# Redosdru.V Malware that hides in encrypted DLL files to avoid detection by Firewalls

**securitynews.sonicwall.com/xmlpost/redosdru-v-malware-that-hides-in-encrypted-dll-files-to-avoid-detection-by-**
firewalls-may-112016/

May 11, 2016

The Dell Sonicwall Threats Research team observed reports of a New Malware family
named GAV: Redosdru.V actively spreading in the wild. This time attackers used a dropper
to download the original Malware that hides in encrypted DLL files to avoid detection by
Firewalls.

**Infection Cycle:**

**Md5:**

**807db66fd414f3eb5e74e10fc4309ae3**

The Malware adds the following files to the system:

**Malware.exe**

C:Program FilesAppPatchNetsyst96.dll

C:Program FilesMicrosoft FduoodFduzjyw.exe

The Trojan adds the following keys to the Windows registry to ensure persistence upon
reboot:

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun

Wsejti gzuaqwud=C:Program FilesMicrosoft FduoodFduzjyw.exe

Once the computer is compromised, the malware copies its own files to AppPatch folder.


-----

The Malware tries to download encrypted DLL file from its own C&C server from following
domain:

Here is an example of encrypted DLL file:

**Command and Control (C&C) Traffic**

**Redosdru.V performs communication over 9925 and 60321 ports. The malware sends your**
system information to its own C&C server via following format, here is an example:


-----

We have been monitoring varying hits over the past few days for the signature that blocks
this threat:

SonicWALL Gateway AntiVirus provides protection against this threat via the following
signature:

**GAV: Redosdru.V (Trojan)**


-----